Bug 1334976, use a new attribute in the builtins root CA list, to dis…

…tinguish between Mozilla policy CAs and other CAs, code changes, r=rrelyea
sailfishos-mirror · Feb 9, 2017 · 22ffa92 · 22ffa92
1 parent 93ac86e
commit 22ffa92
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 1 deletion.
diff --git a/cmd/addbuiltin/addbuiltin.c b/cmd/addbuiltin/addbuiltin.c
@@ -31,6 +31,29 @@ dumpbytes(unsigned char *buf, int len)
     printf("\n");
 }
 
+int
+hasPositiveTrust(unsigned int trust)
+{
+    if (trust & CERTDB_TRUSTED) {
+        if (trust & CERTDB_TRUSTED_CA) {
+            return PR_TRUE;
+        } else {
+            return PR_FALSE;
+        }
+    } else {
+        if (trust & CERTDB_TRUSTED_CA) {
+            return PR_TRUE;
+        } else if (trust & CERTDB_VALID_CA) {
+            return PR_TRUE;
+        } else if (trust & CERTDB_TERMINAL_RECORD) {
+            return PR_FALSE;
+        } else {
+            return PR_FALSE;
+        }
+    }
+    return PR_FALSE;
+}
+
 char *
 getTrustString(unsigned int trust)
 {
@@ -202,6 +225,11 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
         printf("CKA_VALUE MULTILINE_OCTAL\n");
         dumpbytes(sdder->data, sdder->len);
         printf("END\n");
+        if (hasPositiveTrust(trust->sslFlags) ||
+            hasPositiveTrust(trust->emailFlags) ||
+            hasPositiveTrust(trust->objectSigningFlags)) {
+            printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
+        }
     }
 
     if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==

diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
@@ -32,7 +32,7 @@
 #include "certt.h"
 #include "certdb.h"
 
-/* #include "secmod.h" */
+#include "secmod.h"
 #include "pk11func.h"
 #include "secoid.h"
 
@@ -3229,6 +3229,8 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
     SECStatus rv;
     SECItem data;
     CERTCertTrust certTrust;
+    PK11SlotList *slotList;
+    const char *moz_policy_ca_info = NULL;
 
     data.data = cert->derCert.data;
     data.len = cert->derCert.len;
@@ -3238,6 +3240,34 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
     if (rv) {
         return (SECFailure);
     }
+
+    slotList = PK11_GetAllSlotsForCert(cert, NULL);
+    if (slotList) {
+        PK11SlotListElement *se = PK11_GetFirstSafe(slotList);
+        for ( ; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) {
+            CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL);
+            if (handle != CK_INVALID_HANDLE) {
+                PORT_SetError(0);
+                if (PK11_HasAttributeSet(se->slot, handle,
+                                         CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) {
+                    moz_policy_ca_info = "true (attribute present)";
+                } else {
+                    if (PORT_GetError() != 0) {
+                        moz_policy_ca_info = "false (attribute missing)";
+                    } else {
+                        moz_policy_ca_info = "false (attribute present)";
+                    }
+                }
+            }
+        }
+        PK11_FreeSlotList(slotList);
+    }
+
+    if (moz_policy_ca_info) {
+        SECU_Indent(stdout, 1);
+        printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info);
+    }
+
     if (trust) {
         SECU_PrintTrustFlags(stdout, trust,
                              "Certificate Trust Flags", 1);

diff --git a/lib/nss/nss.def b/lib/nss/nss.def
@@ -1097,3 +1097,9 @@ PK11_VerifyWithMechanism;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.30 { 	# NSS 3.30 release
+;+    global:
+PK11_HasAttributeSet;
+;+    local:
+;+       *;
+;+};
diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
@@ -93,6 +93,8 @@
 #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32)
 #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33)
 
+#define CKA_NSS_MOZILLA_CA_POLICY (CKA_NSS + 34)
+
 /*
  * Trust attributes:
  *